Form replay

Since LemonLDAP::NG 0.9.4

Presentation

Form replay allows you to open a session on a protected application by replaying the form POST, without asking the user for anything.

Warning: this kind of SSO mechanism is not clean and can lead to problems, like local password lockout, local sessions not being closed properly, etc. Please always try to find another solution to protect your application with LemonLDAP::NG.

How it works

If you configure form replay with LemonLDAP::NG, the Handler will catch the configured POST URLs and send a POST query to the target page (which can be different from the caught page). Each field can be filled with a static value or with data from the user's session (like $uid, $cn, etc.).

LemonLDAP::NG can catch a GET request and transform it internally into a POST request. All this work is transparent for the user, who cannot see what data are posted by LemonLDAP::NG.

Replay user's password

To post the user's password, you must have set the storePassword parameter. In this case you will be able to use $_password to fill any password POST field.

Known limitations in LemonLDAP::NG 0.9.4

Configuration

You should first gather some information about the form to replay. For example: Then edit handler/MyHandler.pm and add:

post => {
    '/login.php' => {                  # URI caught by the Handler
        postUrl => '/process.php',     # target page of the replayed POST
        # each field is a static value or a session attribute ($uid, $_password, ...)
        expr => 'login => $uid, password => $_password, static => StaticValue, remember => 1',
    },
},
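The following Perl script is an added example, not code from LemonLDAP::NG itself: it reproduces in a standalone way what the "How it works" section describes, using the post configuration just shown. The session hash, the urlenc helper and the expand_expr, build_body and replay functions are all constructed for this illustration; the real Handler keeps its own implementation. The example also shows the storePassword edge case: when $_password is referenced but absent from the session, the replay is refused instead of posting an empty password field.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed session data, shaped like what the Handler loads for a user.
# _password is only present when the storePassword parameter is enabled.
my %session = (
    uid       => 'jdoe',
    cn        => 'John Doe',
    _password => 'S3cret!',
);

# Form replay configuration in the 0.9.4 syntax used on this page.
my %post = (
    '/login.php' => {
        postUrl => '/process.php',
        expr    => 'login => $uid, password => $_password, static => StaticValue, remember => 1',
    },
);

# urlenc: percent-encode a form value (application/x-www-form-urlencoded).
sub urlenc {
    my $s = shift;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# expand_expr: turn the expr string into an ordered list of [field, value]
# pairs, replacing every $name token with the matching session attribute.
# Returns undef when a referenced attribute is missing from the session,
# so the caller can abort the replay rather than post an incomplete form.
sub expand_expr {
    my ($expr, $session) = @_;
    my @pairs;
    for my $item (split /\s*,\s*/, $expr) {
        my ($field, $value) = split /\s*=>\s*/, $item, 2;
        if ($value =~ /^\$(\w+)$/) {
            my $attr = $1;
            return unless defined $session->{$attr};
            $value = $session->{$attr};
        }
        push @pairs, [ $field, $value ];
    }
    return \@pairs;
}

# build_body: encode the pairs as the body of the POST the Handler would send.
sub build_body {
    my $pairs = shift;
    return join '&', map { urlenc($_->[0]) . '=' . urlenc($_->[1]) } @$pairs;
}

# replay: given the URI the browser requested and the user's session,
# return the target URL and POST body, or undef if nothing should be replayed.
sub replay {
    my ($requested_uri, $session) = @_;
    my $conf  = $post{$requested_uri} or return;            # URI not configured: pass through
    my $pairs = expand_expr($conf->{expr}, $session) or return;
    return { url => $conf->{postUrl}, body => build_body($pairs) };
}

# Normal case: all attributes present, the form is replayed on /process.php.
my $r = replay('/login.php', \%session);
print "POST $r->{url}\n$r->{body}\n" if $r;

# Edge case: storePassword not set, so $_password is absent from the session.
my %no_pw = ( uid => 'jdoe', cn => 'John Doe' );
print "replay skipped: a referenced attribute is missing from the session\n"
    unless replay('/login.php', \%no_pw);
```

Running the script prints the target URL and an encoded body such as login=jdoe&password=S3cret%21&static=StaticValue&remember=1 for the first session, and the "replay skipped" line for the second. Refusing the replay when an attribute is missing is the safer behaviour: posting an empty password to the application would count as a failed login there and can contribute to the local lockout problem the Warning above mentions.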

You can add other form replay inside post configuration:

post => {
    '/uri1' => {
        …
    },
    '/uri2' => {
        …
    },
    '/uri3' => {
        …
    },
},